Drupal Unspecified CSRF

2006-10-18T03:49:07
ID OSVDB:29926
Type osvdb
Reporter Garvin Hicking
Modified 2006-10-18T03:49:07

Description

Vulnerability Description

Drupal contains a cross-site request forgery (CSRF) flaw: it does not verify that a state-changing request originates from a form it rendered for the current session, so a malicious web page can cause a logged-in user's browser to submit forged HTTP requests to a Drupal site, which the site then processes with that user's privileges. The forged request can do only what the victim is already permitted to do; depending on the victim's permissions, that may include posting PHP code (where the PHP input format is available to that user), adding users, or changing passwords on the affected site.
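The defence that closes this class of flaw is a form token bound to the user's session, which is the approach Drupal took in later releases with drupal_get_token() and drupal_valid_token(). The PHP below is an added example written for this entry, not Drupal's own code: it contrasts a "user add" handler that acts on any POST from an authenticated session with one that additionally demands a session-bound token. The handler names, the permission string, the session array layout and the site secret are assumptions made for the demonstration.

```php
<?php
// Added example, not Drupal code. Demonstrates why a session-bound form token
// stops a forged cross-site POST while letting a legitimately rendered form through.

// Hypothetical per-site secret. A real deployment would use a random value
// generated at install time and stored outside the web root, not a literal.
const SITE_PRIVATE_KEY = 'assumed-private-key-change-me';

// Mint a token for one form in one session. Binding it to the session id means a
// token the attacker obtains in their own session is worthless against the victim's.
function form_token(string $session_id, string $form_id): string {
    return hash_hmac('sha256', $session_id . ':' . $form_id, SITE_PRIVATE_KEY);
}

// Constant-time comparison so the check does not leak the token byte by byte.
function valid_token(string $session_id, string $form_id, string $submitted): bool {
    return hash_equals(form_token($session_id, $form_id), $submitted);
}

// Pre-fix pattern: any POST arriving with an authenticated session is acted on.
// The browser attaches the session cookie to a cross-site form submission too,
// so a third-party page can drive this handler with the admin's privileges.
function handle_user_add_vulnerable(array $session, array $post): string {
    if (!in_array('administer users', $session['perms'], true)) {
        return 'denied';
    }
    return 'created user ' . $post['name'];
}

// Hardened pattern: the request must also carry a token that only a page
// rendered inside the victim's own session would contain. A cross-origin page
// cannot read that token, so it cannot forge a request that passes this check.
function handle_user_add_protected(array $session, array $post): string {
    if (!in_array('administer users', $session['perms'], true)) {
        return 'denied';
    }
    if (!isset($post['form_token'])
        || !valid_token($session['id'], 'user_add', $post['form_token'])) {
        return 'denied: invalid form token';
    }
    return 'created user ' . $post['name'];
}

// Constructed scenario: an administrator's browser auto-submits a form planted on a
// malicious page. The cookie makes it the admin's session, but the attacker could
// not embed a valid token for that session.
$admin_session = ['id' => 'sess-admin-1', 'perms' => ['administer users']];
$forged_post   = ['name' => 'backdoor', 'op' => 'Create'];

echo "forged POST, vulnerable handler:  ", handle_user_add_vulnerable($admin_session, $forged_post), "\n";
echo "forged POST, protected handler:   ", handle_user_add_protected($admin_session, $forged_post), "\n";

// The form Drupal rendered for the admin embeds the correct token and is accepted.
$legit_post = $forged_post + ['form_token' => form_token($admin_session['id'], 'user_add')];
echo "rendered form, protected handler: ", handle_user_add_protected($admin_session, $legit_post), "\n";

// A token minted in the attacker's own session does not transfer to the victim's.
$replayed = $forged_post + ['form_token' => form_token('sess-attacker-9', 'user_add')];
echo "attacker's token, protected:      ", handle_user_add_protected($admin_session, $replayed), "\n";
```

Run with `php csrf_token_demo.php`: the vulnerable handler creates the account from the forged request, the protected handler rejects both the token-less forgery and the token copied from the attacker's own session, and only the form rendered in the administrator's session succeeds. The token must be checked on every state-changing handler, not just the ones listed in this advisory, and it should never be accepted from a GET parameter or a cookie, since both are sent by the browser regardless of which page initiated the request.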

Solution Description

Upgrade to Drupal 4.6.10 or 4.7.4 (or later in the respective branch), which are reported to fix this vulnerability. There are no known workarounds, so an upgrade is required.

Short Description

Cross-site request forgery in Drupal before 4.6.10 and 4.7.4 lets a malicious web page make a logged-in user's browser submit forged requests that the site processes with that user's privileges.

References:

Vendor URL: drupal.org
Vendor Specific Advisory URL
Secunia Advisory ID: 22486
Related OSVDB ID: 29927
Related OSVDB ID: 29922
Other Advisory URL: http://www.openpkg.org/security/advisories/OpenPKG-SA-2006.025-drupal.html
Mail List Post: http://archives.neohapsis.com/archives/fulldisclosure/2006-10/0397.html
Keyword: DRUPAL-SA-2006-025
ISS X-Force ID: 29679
FrSIRT Advisory: ADV-2006-4120
CVE ID: CVE-2006-5476